# Diagrams — Deep-Dive DD-09: NemoClaw — The Governance-Focused Harness

**Deep-Dive**: DD-09 — NemoClaw: The Governance-Focused Harness
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — Governance Layer (the NemoClaw contribution)

**Type**: Layered nesting
**Purpose**: The orientation diagram. Shows the defining architectural property: the governance layer (NeMo Guardrails + OpenShell) sits BETWEEN the agent and the world, outside the agent's reach. The agent cannot disable what it cannot see.
**Reading the diagram**: The agent process sits above the governance layer; the world sits below it. Every call passes through governance evaluation. The agent has no path around the governance layer to reach the world directly. This is Module 0.2's principle in production.

```mermaid
flowchart TB
    AGENT["Agent process\n(loop + tools + memory)\nOpenClaw core"] --> GOV
    GOV["Governance Layer\nNeMo Guardrails + OpenShell\nOUTSIDE the agent's reach\ninput rail / dialog rail / action rail"]
    GOV --> WORLD[("World: channels + fs + shell")]
    NOTE["The agent CANNOT reach the governance layer\nto disable it. Every call passes through.\nThe enforcement sits in the call path,\nnot in the context. Module 0.2 in production."]
    GOV --> NOTE
    style AGENT fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
    style GOV fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
    style WORLD fill:#08080c,stroke:rgba(255,255,255,0.1),color:#9494a0
    style NOTE fill:#08080c,stroke:#5eead4,color:#5eead4
```

---

## Diagram 2 — NemoClaw vs OpenClaw (the fix)

**Type**: Two-track comparison (vulnerable vs fixed)
**Purpose**: Shows what NemoClaw adds over its parent OpenClaw (DD-07). OpenClaw sends agent actions directly to the world with no trust boundary; NemoClaw inserts NeMo Guardrails between agent and world, tagging untrusted content and enforcing policy.
**Reading the diagram**: Left track = OpenClaw (agent → world, no boundary, cross-channel injection succeeds). Right track = NemoClaw (agent → guardrails → world, content tagged, policy enforced). The governance fork is the entire contribution.

```mermaid
flowchart LR
    subgraph OC["OpenClaw (DD-07) — VULNERABLE"]
        direction TB
        OCA["Agent"] --> OCW["World\nNO trust boundary\ncross-channel injection succeeds"]
    end
    subgraph NC["NemoClaw (DD-09) — FIXED"]
        direction TB
        NCA["Agent"] --> NCG["NeMo Guardrails\ntags untrusted + enforces policy\n+3 Module 6, +2 Module 5"]
        NCG --> NCW["World\n(via OpenShell sandbox)"]
    end
    OC -.->|governance fork| NC
    style OC fill:#14141f,stroke:rgba(240,128,128,0.5),color:#e4e4e8
    style NC fill:#14141f,stroke:rgba(94,234,212,0.5),color:#e4e4e8
    style OCA fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style OCW fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style NCA fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
    style NCG fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
    style NCW fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
```

---

## Diagram 3 — The Three Rails (input, dialog, action)

**Type**: Bracketing flow
**Purpose**: Shows how the three NeMo Guardrails classes bracket the agent. The input rail runs before the model is called (the agent cannot disable it by injection); the dialog rail checks output before action; the action rail validates side-effecting calls. All three are outside the agent's trust boundary.
**Reading the diagram**: The agent sits in the center. The input rail is before the model call; the dialog rail is after the model responds; the action rail is before the tool executes. The agent is bracketed — it cannot reach any rail to disable it because each rail runs at a point in the call path the agent does not control.

```mermaid
flowchart LR
    INPUT["External input\n(channel content, tool output)"] -->|input rail| TAG["Tag UNTRUSTED\nscan for injection\nASI01 fix"]
    TAG --> MODEL["Agent / Model\nreasons + proposes"]
    MODEL -->|dialog rail| OUTPUT["Check response\nagainst policy\nhijacked output caught"]
    OUTPUT -->|action rail| ACTION["Validate tool call\nagainst capability policy\nModule 6 external"]
    ACTION --> EXEC["Execute\n(via OpenShell sandbox)"]
    NOTE["All three rails run OUTSIDE\nthe agent's trust boundary.\nThe agent cannot disable an input rail\nby injection (it runs before the model).\nIt cannot bypass an action rail\nby reasoning (it runs after the proposal)."]
    EXEC --> NOTE
    style INPUT fill:#08080c,stroke:rgba(240,168,104,0.3),color:#f0a868
    style TAG fill:#08080c,stroke:#5eead4,color:#5eead4
    style MODEL fill:#08080c,stroke:rgba(255,255,255,0.1),color:#e4e4e8
    style OUTPUT fill:#08080c,stroke:#5eead4,color:#5eead4
    style ACTION fill:#08080c,stroke:#5eead4,color:#5eead4
    style EXEC fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
    style NOTE fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```

---

## Diagram 4 — The NemoClaw-vs-Tau Contrast (load-bearing for Course 2B)

**Type**: Side-by-side pole comparison
**Purpose**: The load-bearing diagram for the curriculum. NemoClaw and Tau are the two extremes of the governance axis. Every Course 2B attack module is scored against the question they pose: does this harness enforce governance outside the agent's reach? NemoClaw is the yes; Tau is the no.
**Reading the diagram**: Left pole = NemoClaw (all three rails + sandbox + external enforcement). Right pole = Tau (no rails, no sandbox, no enforcement — the attack lab target). The footer names the lesson: governance is where the enforcement layer sits relative to the agent, not a feature you add.

```mermaid
flowchart TB
    subgraph NEMO["NEMOCLAW (DD-09) — all the controls"]
        direction TB
        N1["Input rail: channel content tagged untrusted"]
        N2["Dialog rail: output checked before action"]
        N3["Action rail: tool calls validated"]
        N4["OpenShell sandbox: agent never touches exec"]
        N5["Enforcement OUTSIDE the agent's reach"]
        N1 --> N2 --> N3 --> N4 --> N5
    end
    subgraph TAU["TAU (DD-21) — zero defenses"]
        direction TB
        T1["No input rail: all input full trust"]
        T2["No dialog rail: output acted on directly"]
        T3["No action rail: actions execute unvalidated"]
        T4["No sandbox: agent executes on host"]
        T5["No enforcement layer at all"]
        T1 --> T2 --> T3 --> T4 --> T5
    end
    LESSON["LESSON (load-bearing for Course 2B):\nGovernance is NOT a feature you add to an agent.\nIt is an architectural property of WHERE\nthe enforcement layer sits relative to the agent.\nNemoClaw puts it outside; Tau does not have one.\nEvery other harness sits between these two poles."]
    NEMO --> LESSON
    TAU --> LESSON
    style NEMO fill:#14141f,stroke:rgba(94,234,212,0.6),color:#e4e4e8
    style TAU fill:#14141f,stroke:rgba(240,128,128,0.6),color:#e4e4e8
    style N1 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
    style N2 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
    style N3 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
    style N4 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
    style N5 fill:#08080c,stroke:#5eead4,color:#5eead4
    style T1 fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style T2 fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style T3 fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style T4 fill:#08080c,stroke:rgba(240,128,128,0.3),color:#f08080
    style T5 fill:#08080c,stroke:#f08080,color:#f08080
    style LESSON fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```

---

## Diagram 5 — NemoClaw Governance Gate (n8n)

**Type**: n8n workflow JSON
**Purpose**: A runnable n8n workflow that models the governance gate. The agent requests an action; NeMo Guardrails evaluates it (ALLOW/DENY); allowed actions execute via OpenShell; denied actions are blocked with the agent unable to override.
**Reading the diagram**: The agent request node cannot reach the execute node directly — it must pass through the guardrail. The guardrail's decision is final; the agent has no path to override a DENY. This is the governance-beneath-the-agent pattern in executable form.

```json
{
  "name": "NemoClaw Governance Gate — DD-09",
  "nodes": [
    { "parameters": { "assignments": { "assignments": [{ "id": "call", "name": "agent_call", "value": "={{ $json.body.call || 'send_message(channel: slack, content: ...)' }}", "type": "string" }]}, "options": {} }, "id": "agent", "name": "Agent Request", "type": "n8n-nodes-base.set", "typeVersion": 3.4, "position": [160, 300], "notesInFlow": true, "notes": "Agent wants to act. But it CANNOT reach the world directly — every call passes through the governance layer." },
    { "parameters": { "model": "gpt-4o-mini", "messages": "={{ [{role:'system',content:'You are a NeMo Guardrail. Evaluate this agent call against policy. Is it allowed? Does it cross a trust boundary? Reply ALLOW or DENY + reason.'},{role:'user',content:$json.agent_call}] }}", "options": {} }, "id": "guardrail", "name": "NeMo Guardrail (OUTSIDE agent)", "type": "@n8n/n8n-nodes-langchain.toolExecuteTool", "typeVersion": 1.1, "position": [400, 300], "notesInFlow": true, "notes": "THE GOVERNANCE LAYER. Evaluates EVERY call. The agent CANNOT reach this node to disable it — it sits between agent and world. Policy is enforced externally." },
    { "parameters": { "conditions": { "combinator": "any", "conditions": [{ "id": "allow", "leftValue": "={{ $json.choices[0].message.content.includes('ALLOW') }}", "rightValue": true, "operator": { "type": "boolean", "operation": "true" } }] } }, "id": "decision", "name": "Policy allows?", "type": "n8n-nodes-base.if", "typeVersion": 2.2, "position": [640, 300] },
    { "parameters": { "command": "={{ 'echo executing (governance-approved): ' + $('Agent Request').item.json.agent_call }}", "executeOnce": true }, "id": "exec", "name": "Execute (via OpenShell)", "type": "n8n-nodes-base.executeCommand", "typeVersion": 1, "position": [880, 200], "notesInFlow": true, "notes": "OpenShell sandbox: the agent never touches the execution environment directly. It goes through the governed API." },
    { "parameters": { "content": "={{ JSON.stringify({ denied: true, reason: $json.choices[0].message.content, note: 'governance layer blocked — agent cannot override' }) }}", "options": {} }, "id": "deny", "name": "DENY (agent cannot bypass)", "type": "n8n-nodes-base.respondToWebhook", "typeVersion": 1, "position": [880, 400], "notesInFlow": true, "notes": "DENIED. The agent cannot reach the governance layer to override this. The enforcement is outside the agent's process — Module 0.2's principle." }
  ],
  "connections": { "Agent Request": { "main": [ [ { "node": "NeMo Guardrail (OUTSIDE agent)", "type": "main", "index": 0 } ] ] }, "NeMo Guardrail (OUTSIDE agent)": { "main": [ [ { "node": "Policy allows?", "type": "main", "index": 0 } ] ] }, "Policy allows?": { "main": [ [ { "node": "Execute (via OpenShell)", "type": "main", "index": 0 } ], [ { "node": "DENY (agent cannot bypass)", "type": "main", "index": 0 } ] ] } },
  "settings": { "executionOrder": "v1" }, "meta": { "templateCreatedBy": "Harness Engineering Master Course — DD-09 NemoClaw" }
}
```

---

## Validation notes

- All diagrams use the course design system colors: `#14141f` panel fill, `#08080c` deep background for nested nodes, `#5eead4` teal accent for the governance/capability surface and principle nodes, `#f0a868` warn for external input and transitions, `#f08080` danger for the vulnerable/ungoverned surface (OpenClaw, Tau). `#e4e4e8` / `#9494a0` for text.
- Paste each Mermaid block into [Mermaid Live Editor](https://mermaid.live) to render. All use stable Mermaid syntax (`flowchart TB/LR`, `subgraph`) supported in current Mermaid (v10.4+).
- The teal/danger color coding is consistent across diagrams: teal = the governed/fixed surface (NemoClaw); danger = the ungoverned/vulnerable surface (OpenClaw, Tau). This mapping is load-bearing — it lets the reader track which side of the governance axis a node belongs to.
